Looking overseas for answers to ID theft

Fraud far less common thanks to tighter privacy laws


As U.S. lawmakers mull how to cure the blight of identity theft, privacy advocates suggest they look overseas, where tighter controls on personal data and credit cards make such fraud far less common.

Few experts believe other nations' data privacy laws are directly applicable to the United States, partly because the U.S. economy is greased by the convenience and efficiency of a detailed credit-reporting system.

But other countries' approaches could be instructive.

"We're behind much of the developed world," said Sen. Charles Schumer, D-N.Y., who is pushing a broad bill aimed at impeding the crime. "The major European countries are doing more than we are doing, and somebody can feel safer about giving information about themselves there than in America."

One such difference: Many countries don't use anything like Social Security numbers as universal identifiers, which serve as pass keys for criminals opening fraudulent accounts. Also, credit cards generally are harder to obtain and used less often.

Perhaps most importantly, many countries don't allow financial records and other data obtained on people for one purpose to be sold or shared without their consent.

As a result, some of the record-collating done by huge U.S. companies such as ChoicePoint Inc. — one of the aggregators whose records have become fodder for ID thieves — isn't allowed in most of Europe and Latin America.

"The default setting on most privacy laws is opt-in," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "In the U.S., it's opt-out."

The Federal Trade Commission estimates that more than 10 million Americans are victims of such crimes annually, costing individuals $5 billion and businesses $48 billion.

Comparable figures for other countries are difficult to obtain because of differing standards in how the crime is tabulated, defined and reported.

European officials said they could not provide statistics on identity fraud. However, European banks and officials say the crime is much less prevalent there in part because of the European Commission's data directive that took effect in 1998.

Among its wide protections, the directive requires that EU citizens be consulted about transfers of their personal information to third parties and given the chance to correct erroneous data. Exemptions are allowed for national security or criminal investigations.

Obtaining and using credit cards is more rigidly controlled, too, and that limits a fraudster's potential damage. In Swedish stores, for example, card transactions require a photo ID and a signature.

Most European consumers rarely use credit cards, instead paying for things with prepaid debit cards. Commonly those take the form of "smart" cards that have embedded chips instead of magnetic strips, which are easily read by criminals. Users slide the cards into a cash register and punch in a PIN to make a transaction.

Meanwhile, countries with less restrictive data rules — and wider use of credit — such as Canada and Britain have struggled with identity theft much more.

Reports of the crime in Britain have risen 600 percent in the last five years, said National Consumer Council spokeswoman Susanne Lace. The British government estimates that in 2002 the annual cost reached 1.3 billion pounds ($2.3 billion in today's dollars). Prime Minister Tony Blair has cited the rising costs as a reason why the United Kingdom needs secure national identity cards.

Surveys indicate that as many as 9 percent of Canadians have been victimized by ID theft, with 3 percent of the population hit in 2003 alone, according to Susan Gardiner, senior policy analyst at Industry Canada. Complaints to PhoneBusters, a fraud task force run by the Royal Canadian Mounted Police and Ontario authorities, jumped 63 percent in 2003.

In response, Canada enacted the Personal Information Protection and Electronic Documents Act, which fully took effect last year. Similar to a new law in Japan, the act requires businesses to get consent from Canadians before trading their personal information, and even then only allows "reasonable" data transfers. Citizens are entitled to see information stored about them and correct inaccuracies. A national privacy commissioner enforces compliance.

Such transparency is limited in the United States, where many consumers didn't even know about big data brokers such as ChoicePoint and Lexis-Nexis until the companies disclosed in recent months that dangerous information breaches had occurred.

Some of the proposals pending in Congress would shine more light on the industry, though none would go as far as Europe's laws.

One bill would require companies to inform consumers if their personal information were compromised. That would expand the California rule that set off this year's flurry of announcements of data breaches. Other measures would crack down on the dissemination of Social Security numbers.

The proposal backed by Schumer and Sen. Bill Nelson, D-Fla., would treat personal data dossiers like credit reports, since consumers are allowed to regularly see and correct those files and know who has accessed them. The bill would create an office of identity theft within the FTC and fund it with $60 million annually for five years.

Schumer acknowledged that the plan is less restrictive than some overseas rules, but he said constantly notifying consumers about the sharing of their data would be impractical.

"You don't want," he said, "to deluge people."

Copyright 2005 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.